Privacy Q&A: Alan Westin On Protecting Corporate Data

The way Alan Westin sees it, privacy is not so much a cause or a burden for corporate America as it is a balance—one that he has spent the past four decades helping businesses negotiate. A professor emeritus of public law and government at Columbia University, Westin is regarded as a leading expert on information privacy, both by the Fortune 500 businesses that pay him to act as a consultant and by the Civil Libertarians who have occasionally accused him of being too sensitive to corporate needs.

Westin, the founder and president of the Center for Social & Legal Research, a nonprofit think tank based in Hackensack, N.J., and publisher of the newsletter Privacy & American Business, has been a member of government privacy commissions, testified before legislative committees and regulatory agencies, written books about privacy, and conducted public opinion surveys quoted far and wide.

At a time when companies are trying to wrangle every penny they can out of existing customers—customers who are increasingly fed up with targeted marketing campaigns—CIO asked Westin to direct his attention to the role that the keeper of the customer database—the CIO—plays in managing this conflict. Senior Writer Sarah D. Scalet talked with Westin about that challenge.

CIO: In terms of privacy protection, how has the role of the CIO changed over the years?

Alan Westin: It used to be that whoever was in charge of the information function looked at hardware and software solutions, and the users would just tell her what to do in terms of how data was formatted or delivered. CIOs today adjudicate between marketing and customer relations managers—who want data information brought in from third-party suppliers and want to produce detailed profiles of customers and projects—and the chief privacy officer—who advocates being careful to meet regulations at the state and federal levels.

It sounds like the CIO has to broker the relationship between those conflicting parties.

Yes, but I’m a little concerned about using the word broker because it implies that CIOs have the command role, and they don’t. The command role is going to be either the legal department or top management, which says, OK, we’ve listened to the marketing people, we’ve listened to the privacy officer, and this is what I, the top management, want you, the CIO, to do. I don’t think the CIO is a referee.

Opt-outs or opt-ins are where the rubber hits the road. The company says, If you don’t want to receive this kind of material from us, check this box or call this toll-free number. That information goes into a system that the CIO administers. And against a database composed of 25 million credit card holders, the CIO needs to suppress marketing to the 100,000 or 3 million customers who have said, No, I don’t want that communication. Obviously it raises huge data management issues.

If you get the marketing people and the privacy officer and the CIO together, they can say, We don’t want to give up the opportunity to market related products to our existing marketing database, but we know that there’s a small segment of customers who will be outraged if that happens. The company might set up the following options: 1. Customers can opt out of any contact other than the service delivery that they’ve signed up for; or 2. They could opt out of any telemarketing calls but not opt out of written communication. The CIO’s role is to show how refined programs like that can be implemented.

What is the ultimate goal of this balancing act?

This act gets the maximum number of your customers comfortable with the way you are handling their information and presenting them with options.

What about offering customers the chance to see the information in their records?

That raises a lot of complicated issues because what exactly is it that the consumer gets access to? If it’s just a transaction, that’s not a big problem. But behind transaction records is a marketing database. Most companies have added information from what’s known as ZIP-plus-four databases, which will say that Alan Westin lives in a block in which the average house costs so much, and the ethnic make-up is such and such, and residents are mostly retired and so forth. The issue is, if I want to see what information a company has about me in my credit card file, do I get to see that? Most companies would turn purple at that idea. The Federal Trade Commission had a task force look at the issue, and it was unable to come to any firm conclusion because this issue divides the consumer groups and the business groups so fundamentally.

How does the USA Patriot Act affect the CIO’s role?

An area that’s going to be extremely important for CIOs is the whole question of compliance with demands from the government’s new antiterrorist investigators, who want direct access to companies’ consumer data, under the Patriot Act and CAPPS II [the Transportation Security Administration’s new passenger screening system]. The government is given the legal right to ask for e-mail transactions, financial transactions and various kinds of telephone communications, and as a result, companies are going to be caught in the cross fire. On one hand, they want to comply with the government’s requests because we all understand that this is not a phony danger. On the other hand, they have to worry about the trust of their customers; if customers feel that every time they give information to their bank or credit card company or insurance firm it’s going to the government. We’re just beginning to say, What kind of a system should there be for giving the government access? In the past, that was always under very strict rules set by things such as the Right to Financial Privacy Act of 1978, which said that if the government wants to get that information, it must have a subpoena or a court order. The Patriot Act wiped that away. But where is the control? Where will the safeguards be? The CIO is going to be involved when the federal government comes to Delta Air Lines or American Airlines and says, We want this information from you, and we want it in 30 seconds. I don’t expect the CIO to stand up and say no. The privacy officer has to raise all kinds of questions about what kind of audit trail should be created. (For more information, see “What to Do When Uncle Sam Wants Your Data” at www.cio.com/printlinks.)

If you’re talking about the competing interests of privacy and marketing and so on, when you insert an outside party like the government into the equation, it throws off whatever kind of balance the company was working toward.

That’s correct. But that’s what happened on Sept. 11. If we don’t have access to this kind of information, then the likelihood of our being successful in controlling terrorism is going to be low. I think the Patriot Act is a justified piece of legislation. The issues are always the safeguards and the misuse of information. For example, DARPA’s Total Information Awareness project was a thoughtless and overblown approach that somehow assumed that magic algorithms could be applied that would extract [meaning] from this enormous mass of private-sector data added to public data—that somehow up would pop the bearded face of Osama bin Laden.

How big of an impact do you think the FTC’s Do Not Call list will have on companies?

People in very large numbers are going to sign up for that Do Not Call list, which is a registry of numbers that companies cannot call. However, it will take a high level of care on the CIO’s part to help keep track of those numbers, and if a clerk gets careless or makes a mistake, it could get costly. In a bigger sense, I think this is the beginning of the end of the targeted marketing era. That list is going to be a catalyst that moves companies into a whole consumer permission mode. If you think about it historically, until the 1980s, companies engaged in mass marketing—newspapers, TV, radio and billboard displays—then moved into target marketing. The idea was that we must know you to serve you; and we’re going to collect a lot of profile information; and you should like it because after all we’ll now know that you like to sail, so we’ll tell you about sailboats, or if you like to go to Italy we’ll tell you about Italian vacations. What companies didn’t realize—or if they did, they didn’t care—is that there comes a point where people get saturated by that kind of intrusive marketing. Between telemarketing and spam, you have about as fed up a public as I’ve ever seen on any consumer issue. The strongest piece of evidence is the passage of the Do Not Call list against the immense lobbying of the direct-marketing industry and all its practitioners. Public anger was so great that politicians and legislators just had to respond.

Do you consider yourself an advocate for privacy?

I’m a balance person. I identify dangers to privacy, but my solutions are much more about recognizing the competing values that need to be brought into some kind of harmony. I appreciate the roles of the American Civil Liberties Union, the Electronic Privacy Information Center and the Center for Democracy and Technology in always being the advocates of the total privacy solution, but I would never want to live under their regimes—not that I mind their pointing out dangers in various kinds of new antisurveillance proposals.

I’m a Libra, which is the scales. On one hand this; on the other hand that. If you’re a Libra, balance is what the stars have given you—or cursed you to.